diff options
author | Matthias H <apoc@sixserv.org> | 2013-09-18 04:00:17 +0200 |
---|---|---|
committer | Matthias Hecker <apoc@sixserv.org> | 2013-11-14 12:32:47 +0000 |
commit | 85ee9672fce67d95bf8310af331a576f3492b863 (patch) | |
tree | cfe5b649d04ac84bca3811a29a0443cfa0ccce32 /lib/rbot | |
parent | a3fa2b3e2f962e1bb8dee7a99c8669bc60c52587 (diff) |
allow to verify ssl connections against a CA.
This adds three new configuration variables to configure
SSL verification against a CA.
server.ssl_verify: true if it should verify and disconnect
if it fails
server.ssl_ca_file: a CA file, is set to the systems CA
bundle by default (distri. dependent)
server.ssl_ca_path: alternativly path to a directory with
CA PEM files
I tested it and this seems no longer an issue with >= 1.9.3
https://www.braintreepayments.com/braintrust/sslsocket-verify_mode-doesnt-verify
Diffstat (limited to 'lib/rbot')
-rw-r--r-- | lib/rbot/ircbot.rb | 30 | ||||
-rw-r--r-- | lib/rbot/ircsocket.rb | 11 |
2 files changed, 39 insertions, 2 deletions
diff --git a/lib/rbot/ircbot.rb b/lib/rbot/ircbot.rb index d75d6b54..a1713c2d 100644 --- a/lib/rbot/ircbot.rb +++ b/lib/rbot/ircbot.rb @@ -278,6 +278,18 @@ class Bot Config.register Config::BooleanValue.new('server.ssl', :default => false, :requires_restart => true, :wizard => true, :desc => "Use SSL to connect to this server?") + Config.register Config::BooleanValue.new('server.ssl_verify', + :default => false, :requires_restart => true, + :desc => "Verify the SSL connection?", + :wizard => true) + Config.register Config::StringValue.new('server.ssl_ca_file', + :default => default_ssl_ca_file, :requires_restart => true, + :desc => "The CA file used to verify the SSL connection.", + :wizard => true) + Config.register Config::StringValue.new('server.ssl_ca_path', + :default => '', :requires_restart => true, + :desc => "Alternativly a directory that includes CA PEM files used to verify the SSL connection.", + :wizard => true) Config.register Config::StringValue.new('server.password', :default => false, :requires_restart => true, :desc => "Password for connecting to this server (if required)", @@ -608,7 +620,12 @@ class Bot debug "server.list is now #{@config['server.list'].inspect}" end - @socket = Irc::Socket.new(@config['server.list'], @config['server.bindhost'], :ssl => @config['server.ssl'], :penalty_pct =>@config['send.penalty_pct']) + @socket = Irc::Socket.new(@config['server.list'], @config['server.bindhost'], + :ssl => @config['server.ssl'], + :ssl_verify => @config['server.ssl_verify'], + :ssl_ca_file => @config['server.ssl_ca_file'], + :ssl_ca_path => @config['server.ssl_ca_path'], + :penalty_pct => @config['send.penalty_pct']) @client = Client.new @plugins.scan @@ -804,6 +821,17 @@ class Bot trap_signals end + # Determine (if possible) a valid path to a CA certificate bundle. + def default_ssl_ca_file + [ '/etc/ssl/certs/ca-certificates.crt', # Ubuntu/Debian + '/etc/ssl/certs/ca-bundle.crt', # Amazon Linux + '/etc/ssl/ca-bundle.pem', # OpenSUSE + '/etc/pki/tls/certs/ca-bundle.crt' # Fedora/RHEL + ].find do |file| + File.readable? file + end + end + def repopulate_botclass_directory template_dir = File.join Config::datadir, 'templates' if FileTest.directory? @botclass diff --git a/lib/rbot/ircsocket.rb b/lib/rbot/ircsocket.rb index 029d1ca5..e5131c2b 100644 --- a/lib/rbot/ircsocket.rb +++ b/lib/rbot/ircsocket.rb @@ -285,6 +285,9 @@ module Irc @lines_sent = 0 @lines_received = 0 @ssl = opts[:ssl] + @ssl_verify = opts[:ssl_verify] + @ssl_ca_file = opts[:ssl_ca_file] + @ssl_ca_path = opts[:ssl_ca_path] @penalty_pct = opts[:penalty_pct] || 100 end @@ -331,7 +334,13 @@ module Irc if(@ssl) require 'openssl' ssl_context = OpenSSL::SSL::SSLContext.new() - ssl_context.verify_mode = OpenSSL::SSL::VERIFY_NONE + if @ssl_verify + ssl_context.ca_file = @ssl_ca_file if @ssl_ca_file and not @ssl_ca_file.empty? + ssl_context.ca_path = @ssl_ca_path if @ssl_ca_path and not @ssl_ca_path.empty? + ssl_context.verify_mode = OpenSSL::SSL::VERIFY_PEER + else + ssl_context.verify_mode = OpenSSL::SSL::VERIFY_NONE + end sock = OpenSSL::SSL::SSLSocket.new(sock, ssl_context) sock.sync_close = true sock.connect |